Release v2023.11.02.1 (#1609)

* Revert "test(login): fix login integration test (#1587)"

This reverts commit f1e012a.

* Revert "feat(security): encrypt login password (#1583)"

This reverts commit d010da5.

* update release version to 2023.11.02.1

pkg/apiserver/user/auth.go

@@ -3,7 +3,6 @@
 package user
 
 import (
-	"crypto/rsa"
 	"encoding/base64"
 	"encoding/json"
 	"errors"
@@ -36,9 +35,6 @@ type AuthService struct {
 
 	middleware     *jwt.GinJWTMiddleware
 	authenticators map[utils.AuthType]Authenticator
-
-	RsaPublicKey  *rsa.PublicKey
-	RsaPrivateKey *rsa.PrivateKey
 }
 
 type AuthenticateForm struct {
@@ -94,17 +90,10 @@ func NewAuthService(featureFlags *featureflag.Registry) *AuthService {
 		secret = cryptopasta.NewEncryptionKey()
 	}
 
-	privateKey, publicKey, err := GenerateKey()
-	if err != nil {
-		log.Fatal("Failed to generate rsa key pairs", zap.Error(err))
-	}
-
 	service := &AuthService{
 		FeatureFlagNonRootLogin: featureFlags.Register("nonRootLogin", ">= 5.3.0"),
 		middleware:              nil,
 		authenticators:          map[utils.AuthType]Authenticator{},
-		RsaPrivateKey:           privateKey,
-		RsaPublicKey:            publicKey,
 	}
 
 	middleware, err := jwt.New(&jwt.GinJWTMiddleware{
@@ -122,16 +111,6 @@ func NewAuthService(featureFlags *featureflag.Registry) *AuthService {
 			if err != nil {
 				return nil, errorx.Decorate(err, "authenticate failed")
 			}
-			// TODO: uncomment it after thinking clearly
-			// if form.Type == 0 {
-			// 	// generate new rsa key pair for each sql auth login
-			// 	privateKey, publicKey, err := GenerateKey()
-			// 	// if generate successfully, replace the old key pair
-			// 	if err == nil {
-			// 		service.RsaPrivateKey = privateKey
-			// 		service.RsaPublicKey = publicKey
-			// 	}
-			// }
 			return u, nil
 		},
 		PayloadFunc: func(data interface{}) jwt.MapClaims {
@@ -299,8 +278,7 @@ func (s *AuthService) RegisterAuthenticator(typeID utils.AuthType, a Authenticat
 }
 
 type GetLoginInfoResponse struct {
-	SupportedAuthTypes []int  `json:"supported_auth_types"`
-	SQLAuthPublicKey   string `json:"sql_auth_public_key"`
+	SupportedAuthTypes []int `json:"supported_auth_types"`
 }
 
 // @ID userGetLoginInfo
@@ -320,16 +298,8 @@ func (s *AuthService) GetLoginInfoHandler(c *gin.Context) {
 		}
 	}
 	sort.Ints(supportedAuth)
-	// both work
-	// publicKeyStr, err := ExportPublicKeyAsString(s.rsaPublicKey)
-	publicKeyStr, err := DumpPublicKeyBase64(s.RsaPublicKey)
-	if err != nil {
-		rest.Error(c, err)
-		return
-	}
 	resp := GetLoginInfoResponse{
 		SupportedAuthTypes: supportedAuth,
-		SQLAuthPublicKey:   publicKeyStr,
 	}
 	c.JSON(http.StatusOK, resp)
 }

pkg/apiserver/user/sqlauth/sqlauth.go

@@ -15,8 +15,7 @@ const typeID utils.AuthType = 0
 
 type Authenticator struct {
 	user.BaseAuthenticator
-	tidbClient  *tidb.Client
-	authService *user.AuthService
+	tidbClient *tidb.Client
 }
 
 func NewAuthenticator(tidbClient *tidb.Client) *Authenticator {
@@ -27,7 +26,6 @@ func NewAuthenticator(tidbClient *tidb.Client) *Authenticator {
 
 func registerAuthenticator(a *Authenticator, authService *user.AuthService) {
 	authService.RegisterAuthenticator(typeID, a)
-	a.authService = authService
 }
 
 var Module = fx.Options(
@@ -36,12 +34,7 @@ var Module = fx.Options(
 )
 
 func (a *Authenticator) Authenticate(f user.AuthenticateForm) (*utils.SessionUser, error) {
-	plainPwd, err := user.Decrypt(f.Password, a.authService.RsaPrivateKey)
-	if err != nil {
-		return nil, user.ErrSignInOther.WrapWithNoMessage(err)
-	}
-
-	writeable, err := user.VerifySQLUser(a.tidbClient, f.Username, plainPwd)
+	writeable, err := user.VerifySQLUser(a.tidbClient, f.Username, f.Password)
 	if err != nil {
 		if errorx.Cast(err) == nil {
 			return nil, user.ErrSignInOther.WrapWithNoMessage(err)
@@ -59,7 +52,7 @@ func (a *Authenticator) Authenticate(f user.AuthenticateForm) (*utils.SessionUse
 		Version:      utils.SessionVersion,
 		HasTiDBAuth:  true,
 		TiDBUsername: f.Username,
-		TiDBPassword: plainPwd,
+		TiDBPassword: f.Password,
 		DisplayName:  f.Username,
 		IsShareable:  true,
 		IsWriteable:  writeable,

release-version

@@ -1,3 +1,3 @@
 # This file specifies the TiDB Dashboard internal version, which will be printed in `--version`
 # and UI. In release branch, changing this file will result in publishing a new version and tag.
-2023.09.21.1
+2023.11.02.1

tests/integration/info/info_test.go

@@ -96,8 +96,7 @@ func (s *testInfoSuite) getTokenBySQLRoot() string {
 	param := make(map[string]interface{})
 	param["type"] = 0
 	param["username"] = "root"
-	pwd, _ := user.Encrypt("", s.authService.RsaPublicKey)
-	param["password"] = pwd
+	param["password"] = ""
 
 	jsonByte, _ := json.Marshal(param)
 	req, _ := http.NewRequest(http.MethodPost, "/user/login", bytes.NewReader(jsonByte))

tests/integration/user/user_test.go

@@ -93,8 +93,7 @@ func (s *testUserSuite) TestLoginWithNotExistUser() {
 	param := make(map[string]interface{})
 	param["type"] = 0
 	param["username"] = "not_exist"
-	pwd, _ := user.Encrypt("aaa", s.authService.RsaPublicKey)
-	param["password"] = pwd
+	param["password"] = "aaa"
 
 	jsonByte, _ := json.Marshal(param)
 	req, _ := http.NewRequest(http.MethodPost, "/user/login", bytes.NewReader(jsonByte))
@@ -110,8 +109,7 @@ func (s *testUserSuite) TestLoginWithWrongPassword() {
 	param := make(map[string]interface{})
 	param["type"] = 0
 	param["username"] = "dashboardAdmin"
-	pwd, _ := user.Encrypt("123456789", s.authService.RsaPublicKey)
-	param["password"] = pwd
+	param["password"] = "123456789"
 
 	jsonByte, _ := json.Marshal(param)
 	req, _ := http.NewRequest(http.MethodPost, "/user/login", bytes.NewReader(jsonByte))
@@ -127,8 +125,7 @@ func (s *testUserSuite) TestLoginWithInsufficientPrivs() {
 	param := make(map[string]interface{})
 	param["type"] = 0
 	param["username"] = "dashboardAdmin-2"
-	pwd, _ := user.Encrypt("12345678", s.authService.RsaPublicKey)
-	param["password"] = pwd
+	param["password"] = "12345678"
 
 	jsonByte, _ := json.Marshal(param)
 	req, _ := http.NewRequest(http.MethodPost, "/user/login", bytes.NewReader(jsonByte))
@@ -145,8 +142,7 @@ func (s *testUserSuite) TestLoginWithSufficientPrivs() {
 		param := make(map[string]interface{})
 		param["type"] = 0
 		param["username"] = "dashboardAdmin"
-		pwd, _ := user.Encrypt("12345678", s.authService.RsaPublicKey)
-		param["password"] = pwd
+		param["password"] = "12345678"
 
 		jsonByte, _ := json.Marshal(param)
 		req, _ := http.NewRequest(http.MethodPost, "/user/login", bytes.NewReader(jsonByte))
@@ -181,8 +177,7 @@ func (s *testUserSuite) TestLoginWithWrongPasswordForRoot() {
 	param := make(map[string]interface{})
 	param["type"] = 0
 	param["username"] = "root"
-	pwd, _ := user.Encrypt("aaa", s.authService.RsaPublicKey)
-	param["password"] = pwd
+	param["password"] = "aaa"
 
 	jsonByte, _ := json.Marshal(param)
 	req, _ := http.NewRequest(http.MethodPost, "/user/login", bytes.NewReader(jsonByte))
@@ -198,8 +193,7 @@ func (s *testUserSuite) TestLoginWithCorrectPasswordForRoot() {
 	param := make(map[string]interface{})
 	param["type"] = 0
 	param["username"] = "root"
-	pwd, _ := user.Encrypt("", s.authService.RsaPublicKey)
-	param["password"] = pwd
+	param["password"] = ""
 
 	jsonByte, _ := json.Marshal(param)
 	req, _ := http.NewRequest(http.MethodPost, "/user/login", bytes.NewReader(jsonByte))
@@ -216,33 +210,6 @@ func (s *testUserSuite) TestLoginWithCorrectPasswordForRoot() {
 	s.Require().Nil(err)
 }
 
-// TODO: uncomment it after thinking clearly
-// func (s *testUserSuite) TestLoginWithSamePayloadTwice() {
-// 	param := make(map[string]interface{})
-// 	param["type"] = 0
-// 	param["username"] = "root"
-// 	pwd, _ := user.Encrypt("", s.authService.RsaPublicKey)
-// 	param["password"] = pwd
-
-// 	// success at the first time
-// 	jsonByte, _ := json.Marshal(param)
-// 	req, _ := http.NewRequest(http.MethodPost, "/user/login", bytes.NewReader(jsonByte))
-// 	c, w := util.TestReqWithHandlers(req, s.authService.LoginHandler)
-
-// 	s.Require().Len(c.Errors, 0)
-// 	s.Require().Equal(200, c.Writer.Status())
-// 	s.Require().Equal(200, w.Code)
-
-// 	// fail at the second time
-// 	req, _ = http.NewRequest(http.MethodPost, "/user/login", bytes.NewReader(jsonByte))
-// 	c, w = util.TestReqWithHandlers(req, s.authService.LoginHandler)
-
-// 	s.Require().Contains(c.Errors.Last().Err.Error(), "authenticate failed")
-// 	s.Require().Contains(c.Errors.Last().Err.Error(), "crypto/rsa: decryption error")
-// 	s.Require().Equal(401, c.Writer.Status())
-// 	s.Require().Equal(401, w.Code)
-// }
-
 func (s *testUserSuite) TestLoginInfo() {
 	req, _ := http.NewRequest(http.MethodGet, "/user/login_info", nil)
 	c, w := util.TestReqWithHandlers(req, s.authService.GetLoginInfoHandler)

ui/packages/tidb-dashboard-client/src/client/api/models/user-get-login-info-response.ts

@@ -20,12 +20,6 @@
  * @interface UserGetLoginInfoResponse
  */
 export interface UserGetLoginInfoResponse {
-    /**
-     * 
-     * @type {string}
-     * @memberof UserGetLoginInfoResponse
-     */
-    'sql_auth_public_key'?: string;
     /**
      * 
      * @type {Array<number>}

ui/packages/tidb-dashboard-client/swagger/spec.json

@@ -5776,9 +5776,6 @@
         "user.GetLoginInfoResponse": {
             "type": "object",
             "properties": {
-                "sql_auth_public_key": {
-                    "type": "string"
-                },
                 "supported_auth_types": {
                     "type": "array",
                     "items": {

ui/packages/tidb-dashboard-for-op/package.json

@@ -29,7 +29,6 @@
     "compare-versions": "^5.0.1",
     "eventemitter2": "^6.4.5",
     "i18next": "^23.2.9",
-    "jsencrypt": "^3.3.2",
     "nprogress": "^0.2.0",
     "rc-animate": "^3.1.0",
     "react": "^17.0.2",